diff options
author | Andreas Schneider <asn@samba.org> | 2020-06-15 11:50:16 +0200 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2020-06-17 17:42:02 +0000 |
commit | 53e3a959b958a3b099df6ecc5f6e294e96bd948e (patch) | |
tree | 63e0cbc0729147a8a868c714f6ea9782628c6f6c /source3/param | |
parent | 3d1b6ddcd0a1cee2eaeed5cc8bb38a8e8cdc1891 (diff) | |
download | samba-53e3a959b958a3b099df6ecc5f6e294e96bd948e.tar.gz |
s3:lib:tls: Use better priority lists for modern GnuTLS
We should use the default priority list. That is a good practice,
because TLS protocol hardening and phasing out of legacy algorithms,
is easier to co-ordinate when happens at a single place. See crypto
policies of Fedora.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14408
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jun 17 17:42:02 UTC 2020 on sn-devel-184
Diffstat (limited to 'source3/param')
-rw-r--r-- | source3/param/loadparm.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index ce2aca2c5a4..0ceaa7d8edf 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -886,8 +886,15 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) lpcfg_string_set(Globals.ctx, &Globals._tls_keyfile, "tls/key.pem"); lpcfg_string_set(Globals.ctx, &Globals._tls_certfile, "tls/cert.pem"); lpcfg_string_set(Globals.ctx, &Globals._tls_cafile, "tls/ca.pem"); - lpcfg_string_set(Globals.ctx, &Globals.tls_priority, - "NORMAL:-VERS-SSL3.0"); +#ifdef HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND + lpcfg_string_set(Globals.ctx, + &Globals.tls_priority, + "@SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0"); +#else + lpcfg_string_set(Globals.ctx, + &Globals.tls_priority, + "NORMAL!-VERS-SSL3.0"); +#endif lpcfg_string_set(Globals.ctx, &Globals.share_backend, "classic"); |